# 5G and 6G Security Architecture
## Definition
5G (fifth-generation) wireless technology is the current standard for mobile communications, succeeding 4G LTE. It delivers significantly higher data rates, lower latency, and greater connection density than its predecessors, enabling applications including industrial IoT, autonomous vehicles, smart city infrastructure, and mission-critical communications. 6G, the anticipated sixth generation, is in early research and standardization phases with commercial deployment expected around 2030.
Security architecture in mobile networks defines how subscribers are authenticated, how their identities are protected, how communications are encrypted, and how the network infrastructure itself is secured. Each generation of mobile technology has introduced security improvements in response to demonstrated vulnerabilities in the prior generation, and 5G is the most security-conscious generation yet, incorporating lessons from the pervasive exploitation of SS7 (Signaling System 7) vulnerabilities and the active use of IMSI catchers (fake cell towers) against 4G and earlier networks.
Understanding 5G security requires understanding both its genuine improvements and its inherited weaknesses. The improvements are real and meaningful. The weaknesses are also real: they stem largely from backward compatibility requirements with legacy networks that cannot be patched out of the 5G standard without breaking the global roaming infrastructure that connects billions of devices.
## How It Works
4G LTE transmitted the International Mobile Subscriber Identity (IMSI) in cleartext in certain circumstances, most notably when a device first attaches to a network or roams to a new network. The IMSI is the permanent identifier tied to the SIM card. Surveillance devices called IMSI catchers (commercially available devices often referred to as Stingrays, after a brand used by U.S. law enforcement) exploit this by posing as legitimate cell towers, forcing nearby devices to connect and transmit their IMSIs. This enables passive tracking of device locations and identities without any interaction with the carrier network.
5G's response to this vulnerability is Subscriber Concealed Identifier (SUCI). Instead of transmitting the raw IMSI (now called SUPI, Subscription Permanent Identifier, in 5G terminology), the device encrypts the SUPI using the home network's public key before transmitting it. The serving network (which may be a roaming partner, not the home network) receives only the encrypted SUCI, which it cannot decrypt. Only the home network can decrypt the SUCI to recover the SUPI. This prevents a passive eavesdropper or fake base station from learning the subscriber's permanent identity from intercepted transmissions.
Mutual authentication is the second major 5G improvement over 4G. In 4G, only the device authenticates to the network, using credentials on the SIM. The network does not authenticate itself to the device. This asymmetry enables fake base stations to attract device connections: the device has no way to verify that the tower it is connecting to is a legitimate carrier base station. In 5G Standalone (SA) architecture, the Authentication and Key Agreement protocol (5G-AKA and EAP-AKA') requires the network to demonstrate knowledge of authentication vectors that only the legitimate home network can possess. This closes the fake base station attack vector in deployments that fully implement the 5G SA architecture.
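The challenge-response outline above, as an added example that is not taken from the page or from 3GPP: HMAC-SHA-256 stands in for the USIM's MILENAGE/TUAK functions and for the KDF, AUTN is reduced to SQN||MAC, and the serving network name format and K value in the usage are constructed test data. It shows why a base station that does not know K cannot get the USIM to answer, and why a response is tied to one serving network.

```go
package main

import ("crypto/hmac"; "crypto/rand"; "crypto/sha256"; "encoding/binary"; "errors")

// Simplified 5G-AKA. HMAC-SHA-256 stands in for the USIM's MILENAGE/TUAK functions
// (f1 for the network MAC, f2 for RES) and for the 3GPP KDF that turns RES into
// RES*. AUTN here is SQN||MAC; the real AUTN also masks SQN with AK and carries AMF.
type AuthVector struct {
	RAND, AUTN, XRESStar []byte
}

func prf(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts { m.Write(p) }
	return m.Sum(nil)
}

// HomeNetworkVector runs in the home network (UDM/ARPF), which holds the long-term key K.
// The serving network name is bound into XRES*, so a vector issued for one visited
// network is useless to another.
func HomeNetworkVector(k []byte, sqn uint64, servingNetworkName string) (AuthVector, error) {
	rnd := make([]byte, 16)
	if _, err := rand.Read(rnd); err != nil { return AuthVector{}, err }
	sqnB := binary.BigEndian.AppendUint64(nil, sqn)
	autn := append(sqnB, prf(k, []byte("f1"), rnd, sqnB)...) // SQN || MAC
	xresStar := prf(prf(k, []byte("f2"), rnd), []byte(servingNetworkName), rnd)
	return AuthVector{rnd, autn, xresStar}, nil
}

// USIMRespond runs on the UE. It answers only if AUTN proves the challenger knows K,
// which a fake base station cannot, and if SQN is fresh, which defeats replay.
func USIMRespond(k []byte, lastSqn uint64, servingNetworkName string, rnd, autn []byte) ([]byte, error) {
	if len(autn) != 8+sha256.Size { return nil, errors.New("malformed AUTN") }
	sqnB, mac := autn[:8], autn[8:]
	if !hmac.Equal(mac, prf(k, []byte("f1"), rnd, sqnB)) {
		return nil, errors.New("MAC failure: network did not prove knowledge of K")
	}
	if binary.BigEndian.Uint64(sqnB) <= lastSqn { return nil, errors.New("SQN failure: stale or replayed challenge") }
	return prf(prf(k, []byte("f2"), rnd), []byte(servingNetworkName), rnd), nil // RES*
}

// ServingNetworkVerify collapses the two-step check of the real protocol (the SEAF
// compares HRES*/HXRES*, the home network then confirms RES*) into one comparison.
func ServingNetworkVerify(av AuthVector, resStar []byte) bool {
	return hmac.Equal(av.XRESStar, resStar)
}
```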
Network slicing is a 5G capability that creates multiple logically separate networks (slices) on shared physical infrastructure. An enterprise operating a private 5G network for a factory floor can have a dedicated slice with strict quality-of-service guarantees and security policies (including isolation from consumer traffic) while sharing the underlying radio and core infrastructure with the carrier's consumer network. Security policies, including access controls and traffic inspection, can be configured independently per slice. This creates opportunities for granular security architecture: a manufacturing slice with strict OT device policies, a corporate mobility slice with different controls, and a guest access slice with limited permissions.
Security Edge Protection Proxies (SEPPs) protect the signaling interface between carrier networks during roaming. The inter-carrier interconnect, which in 4G carries Diameter signaling and in 5G is the N32 interface between the two operators' SEPPs, was a known attack path for intercepting or manipulating inter-carrier signaling. 5G SEPPs apply end-to-end protection to signaling messages crossing network boundaries.
## Why It Matters
Despite its improvements, 5G retains a critical weakness: mandatory interoperability with legacy 2G, 3G, and 4G networks. The global mobile ecosystem requires that subscribers be reachable when roaming internationally, including in regions where infrastructure upgrades lag behind. This means 5G networks must support signaling protocols and authentication mechanisms inherited from previous generations, including SS7.
SS7 (Signaling System 7) is a suite of protocols developed in the 1970s for circuit-switched telephony. It provides the signaling infrastructure for call routing, SMS delivery, and roaming authentication across carriers worldwide. SS7 was designed for a world in which only a small number of trusted carrier networks could send SS7 messages. That assumption is no longer valid: the ability to send SS7 messages can be purchased from certain carriers and resellers, and the protocol has no authentication, meaning any party with SS7 access can send messages impersonating any carrier.
SS7 vulnerabilities enable call interception, SMS interception (including two-factor authentication codes sent via SMS), real-time location tracking of any subscriber whose carrier does not filter malicious SS7 messages, and forced call forwarding. These attacks affect 5G subscribers by targeting them through their legacy network identities during roaming or through carriers that have not fully protected their SS7 interconnects. A 5G subscriber receiving a 2FA SMS can have that SMS intercepted via SS7 attack. The phone is on a 5G network; the attack exploits the signaling infrastructure that predates 5G by 50 years.
The supply chain dimension is geopolitical. Huawei and ZTE, the two largest Chinese telecommunications equipment manufacturers, hold significant market share in radio access network and core equipment globally. The United States, United Kingdom, European Union, Australia, Canada, and other Five Eyes and NATO-aligned nations have restricted or banned these vendors from their 5G infrastructure based on concerns about the vendors' relationship with the Chinese government and the risk of covert access capabilities embedded in network equipment. These concerns are not primarily about technical backdoors in a conventional sense; they include the vendors' obligations under Chinese national security law, which requires companies to cooperate with state intelligence activities.
CISA issued telecom-specific cybersecurity guidance addressing 5G security architecture in 2021 and has continued to update advisories as the threat landscape evolves.
## Technical Details
The distinction between 5G Non-Standalone (NSA) and 5G Standalone (SA) architecture is critical for security. In NSA architecture, the 5G radio network connects to a 4G LTE core network. This is the most common current deployment because it allows rapid 5G rollout by reusing existing 4G core infrastructure. However, NSA inherits the 4G core's authentication model, meaning devices on NSA 5G networks do not benefit from 5G's mutual authentication improvements. IMSI catchers that force a device to fall back to 4G can still capture subscriber identities from NSA 5G deployments.
In SA architecture, the 5G radio connects to a true 5G core network (implementing the 3GPP-defined 5G System architecture). SA deployments provide the full security benefits of 5G, including SUCI protection and mutual authentication. Carrier transitions from NSA to SA are ongoing but incomplete in most markets as of 2024 to 2025.
The 3GPP Release 16 and 17 specifications (the standards defining 5G enhancements) introduced additional security features including user plane integrity protection (applying integrity checking to user data, not just signaling), AKMA (Authentication and Key Management for Applications, enabling application-level authentication using 5G credentials), and enhanced location privacy for lawful intercept frameworks.
Rogue base station attacks remain effective against devices that downgrade to 4G or 3G in areas without 5G coverage or when IMSI catchers force degradation. 5G SA architecture can be configured to refuse degradation to insecure legacy modes, but this requires carrier configuration and may impact coverage in areas without SA deployment.
6G research addresses some 5G limitations at the architectural level. AI-native network design integrates intelligence into the network protocol stack rather than treating AI as an overlay. This creates new security considerations (adversarial manipulation of network AI functions) alongside new capabilities (real-time anomaly detection at the network level). Terahertz (THz) frequency bands planned for 6G offer extremely high bandwidth but have very limited propagation range, meaning 6G cells will be dense and small, changing the physical security geometry of base station deployment. Integrated Sensing and Communication (ISAC) in 6G allows the same radio infrastructure to provide both communications and radar sensing, creating a pervasive sensing layer with significant privacy implications.
## CDA Perspective
Within SPH, CDA's Autonomous Posture Command (APC) methodology incorporates 5G-specific controls for telecommunications clients and enterprise organizations deploying private 5G networks. CISA's 2021 publication "Security Considerations for 5G Network Slicing" and associated guidance form the regulatory baseline for APC control mapping in 5G environments. For enterprise clients, private 5G deployments for OT environments (factory floors, campuses, logistics facilities) require security architecture that accounts for network slicing boundaries, authentication for IoT endpoints, and integration with existing IT security monitoring infrastructure.
Within IAT, Zero Possession Architecture (ZPA) applied to telecommunications environments means re-examining assumptions built around SS7-delivered two-factor authentication. Organizations that rely on SMS-based 2FA are using a channel vulnerable to SS7 interception regardless of whether the subscriber's device is on 5G. ZPA recommends authenticator-app or hardware-token-based authentication over SMS delivery for any authentication that carries meaningful security weight. This recommendation becomes more urgent for high-value targets (executives, government personnel, financial services accounts) where SS7 attacks are actively deployed.
Within DPS, the Sovereign Data Protocol (SDP) applies to 5G's data implications. Network slicing and telemetry data generated by 5G infrastructure (call records, device locations, usage patterns) are highly sensitive. For government and regulated-industry clients, SDP includes ensuring that 5G network infrastructure (particularly vendor equipment) does not create uncontrolled data exfiltration pathways to foreign intelligence services.
CDA's position on SMS-based 2FA is that it should be treated as a deprecated control for any account that a motivated adversary might target. The SS7 attack path is well-established, accessible to sophisticated criminal actors as well as nation-states, and bypasses all the security improvements in the 5G radio and core network.
## Key Takeaways
- 5G's two primary security improvements over 4G are Subscriber Concealed Identifier (SUCI), which encrypts subscriber identity to prevent IMSI catcher capture, and mutual authentication, which allows devices to verify the network's identity and resist fake base stations. Both require 5G Standalone architecture to fully function.
- SS7 vulnerabilities persist in 5G because the global mobile ecosystem requires backward compatibility with legacy network signaling. SMS interception, location tracking, and call interception attacks that exploit SS7 remain effective against 5G subscribers through their legacy network identities.
- Network slicing enables logically separated networks on shared physical infrastructure, supporting differentiated security policies for enterprise, IoT, and consumer applications.
- The Huawei and ZTE supply chain concern is not primarily technical backdoor detection; it is about vendor obligations under Chinese national security law and the structural risk of dependent critical infrastructure.
- SMS-based two-factor authentication is vulnerable to SS7 interception regardless of the subscriber's access technology. Organizations should migrate high-value accounts to authenticator apps or hardware tokens.
- 6G, anticipated around 2030, will introduce AI-native network design, THz frequencies, and integrated sensing and communication, each with distinct security implications that standards bodies are still defining.
## Sources
- 3GPP. (2022). TS 33.501: Security Architecture and Procedures for 5G System. 3rd Generation Partnership Project.
- CISA. (2021). Security Considerations for 5G Network Slicing. cisa.gov.
- CISA. (2021). Potential Threat Vectors to 5G Infrastructure. cisa.gov.
- GSMA. (2021). 5G Cybersecurity Knowledge Base. gsma.com/security.
- Positive Technologies. (2018). SS7 Vulnerability Assessment. ptsecurity.com.
- FCC. (2020). Report on International Originating Signaling Attacks: SS7 and Diameter. Federal Communications Commission.
- U.S. Senate Intelligence Committee. (2018). Threats to U.S. Communications Networks: SS7 Vulnerabilities. intelligence.senate.gov.
- NIST. (2020). NIST SP 1800-33: 5G Cybersecurity. National Institute of Standards and Technology.
- ITU-R. (2023). IMT-2030 (6G) Framework Recommendation M.2160. International Telecommunication Union.
- Karmakar, A., et al. (2023). "Security and Privacy for 6G: A Survey on Prospective Technologies and Challenges." IEEE Communications Surveys and Tutorials.